Flax Typhoon APT Group Exploits ArcGIS for Persistent Access
Summary
Hide ▲
Show ▼
The Flax Typhoon APT group, also tracked as Ethereal Panda and RedJuliett, exploited a legitimate ArcGIS application to establish a persistent backdoor for over a year. The attack involved modifying the ArcGIS server’s Java server object extension (SOE) to function as a web shell, enabling command execution, lateral movement, and data exfiltration. The malicious SOE persisted even after remediation and patching, highlighting the need for proactive threat hunting and treating all public-facing applications as high-risk assets. The group targeted a public-facing ArcGIS server connected to an internal server, compromising a portal administrator account and deploying a malicious SOE. They used a base64-encoded payload and a hardcoded key to execute commands and upload a renamed SoftEther VPN executable for long-term access. The attack targeted IT staff workstations within the scanned subnet, demonstrating the potential for significant operational disruption and data exposure. The ArcGIS geographic information system (GIS) is developed by Esri and supports server object extensions (SOE) that can extend basic functionality. The software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps. Researchers at cybersecurity company ReliaQuest have moderate confidence that the threat actor is Flax Typhoon. The attackers used valid administrator credentials to log into a public-facing ArcGIS server linked to a private, internal ArcGIS server. The malicious SOE accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server. The exchange was protected by a hardcoded secret key, ensuring only the attackers had access to this backdoor. The attackers downloaded and installed SoftEther VPN Bridge, registering it as a Windows service that started automatically. The VPN established an outbound HTTPS tunnel to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine. The VPN used normal HTTPS traffic on port 443, blending with legitimate traffic, and remained active even if the SOE was detected and deleted. The attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data using the VPN connection. The attackers targeted two workstations belonging to the target organization's IT staff, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets. Flax Typhoon is known for espionage campaigns to establish long-term, stealthy access through legitimate software. The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S. The Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers. Esri confirmed this is the first time an SOE has been used this way and will update their documentation to warn users of the risk of malicious SOEs.
Timeline
-
14.10.2025 15:00 3 articles · 9h ago
Flax Typhoon APT Group Exploits ArcGIS for Persistent Access
The Flax Typhoon APT group, also tracked as Ethereal Panda and RedJuliett, exploited a legitimate ArcGIS application to establish a persistent backdoor for over a year. The attack involved modifying the ArcGIS server’s Java server object extension (SOE) to function as a web shell, enabling command execution, lateral movement, and data exfiltration. The malicious SOE persisted even after remediation and patching, highlighting the need for proactive threat hunting and treating all public-facing applications as high-risk assets. The group targeted a public-facing ArcGIS server connected to an internal server, compromising a portal administrator account and deploying a malicious SOE. They used a base64-encoded payload and a hardcoded key to execute commands and upload a renamed SoftEther VPN executable for long-term access. The attack targeted IT staff workstations within the scanned subnet, demonstrating the potential for significant operational disruption and data exposure. The ArcGIS geographic information system (GIS) is developed by Esri and supports server object extensions (SOE) that can extend basic functionality. The software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps. Researchers at cybersecurity company ReliaQuest have moderate confidence that the threat actor is Flax Typhoon. The attackers used valid administrator credentials to log into a public-facing ArcGIS server linked to a private, internal ArcGIS server. The malicious SOE accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server. The exchange was protected by a hardcoded secret key, ensuring only the attackers had access to this backdoor. The attackers downloaded and installed SoftEther VPN Bridge, registering it as a Windows service that started automatically. The VPN established an outbound HTTPS tunnel to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine. The VPN used normal HTTPS traffic on port 443, blending with legitimate traffic, and remained active even if the SOE was detected and deleted. The attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data using the VPN connection. The attackers targeted two workstations belonging to the target organization's IT staff, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets. Flax Typhoon is known for espionage campaigns to establish long-term, stealthy access through legitimate software. The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S. The Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers. Esri confirmed this is the first time an SOE has been used this way and will update their documentation to warn users of the risk of malicious SOEs. The attackers used the JavaSimpleRESTSOE ArcGIS extension to invoke a REST operation to run commands on the internal server via the public portal. The attackers specifically targeted two workstations belonging to IT personnel to obtain credentials and further burrow into the network. The attackers reset the password of the administrative account.
Show sources
- Chinese Hackers Use Trusted ArcGIS App For Year-Long Persistence — www.infosecurity-magazine.com — 14.10.2025 15:00
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
Information Snippets
-
The Flax Typhoon APT group exploited a public-facing ArcGIS application to establish a persistent backdoor.
First reported: 14.10.2025 15:003 sources, 3 articlesShow sources
- Chinese Hackers Use Trusted ArcGIS App For Year-Long Persistence — www.infosecurity-magazine.com — 14.10.2025 15:00
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attack involved modifying the ArcGIS server’s Java server object extension (SOE) to function as a web shell.
First reported: 14.10.2025 15:003 sources, 3 articlesShow sources
- Chinese Hackers Use Trusted ArcGIS App For Year-Long Persistence — www.infosecurity-magazine.com — 14.10.2025 15:00
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The malicious SOE was stored in the victim’s backups, persisting even after remediation and patching.
First reported: 14.10.2025 15:003 sources, 3 articlesShow sources
- Chinese Hackers Use Trusted ArcGIS App For Year-Long Persistence — www.infosecurity-magazine.com — 14.10.2025 15:00
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The group targeted a public-facing ArcGIS server connected to an internal server for backend computations.
First reported: 14.10.2025 15:003 sources, 3 articlesShow sources
- Chinese Hackers Use Trusted ArcGIS App For Year-Long Persistence — www.infosecurity-magazine.com — 14.10.2025 15:00
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attackers compromised a portal administrator account and deployed a malicious SOE.
First reported: 14.10.2025 15:003 sources, 3 articlesShow sources
- Chinese Hackers Use Trusted ArcGIS App For Year-Long Persistence — www.infosecurity-magazine.com — 14.10.2025 15:00
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attackers used a base64-encoded payload and a hardcoded key to execute commands and upload a renamed SoftEther VPN executable for long-term access.
First reported: 14.10.2025 15:003 sources, 3 articlesShow sources
- Chinese Hackers Use Trusted ArcGIS App For Year-Long Persistence — www.infosecurity-magazine.com — 14.10.2025 15:00
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attack targeted IT staff workstations within the scanned subnet.
First reported: 14.10.2025 15:003 sources, 3 articlesShow sources
- Chinese Hackers Use Trusted ArcGIS App For Year-Long Persistence — www.infosecurity-magazine.com — 14.10.2025 15:00
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The ArcGIS geographic information system (GIS) is developed by Esri and supports server object extensions (SOE) that can extend basic functionality.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
Researchers at cybersecurity company ReliaQuest have moderate confidence that the threat actor is Flax Typhoon.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attackers used valid administrator credentials to log into a public-facing ArcGIS server linked to a private, internal ArcGIS server.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The malicious SOE accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The exchange was protected by a hardcoded secret key, ensuring only the attackers had access to this backdoor.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attackers downloaded and installed SoftEther VPN Bridge, registering it as a Windows service that started automatically.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The VPN established an outbound HTTPS tunnel to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The VPN used normal HTTPS traffic on port 443, blending with legitimate traffic, and remained active even if the SOE was detected and deleted.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data using the VPN connection.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attackers targeted two workstations belonging to the target organization's IT staff, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
Flax Typhoon is known for espionage campaigns to establish long-term, stealthy access through legitimate software.
First reported: 14.10.2025 15:282 sources, 2 articlesShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S.
First reported: 14.10.2025 15:281 source, 1 articleShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
-
The Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers.
First reported: 14.10.2025 15:281 source, 1 articleShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
-
Esri confirmed this is the first time an SOE has been used this way and will update their documentation to warn users of the risk of malicious SOEs.
First reported: 14.10.2025 15:281 source, 1 articleShow sources
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
-
The Flax Typhoon APT group is also tracked as Ethereal Panda and RedJuliett.
First reported: 14.10.2025 19:551 source, 1 articleShow sources
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The U.S. government assesses Flax Typhoon to be a publicly-traded, Beijing-based company known as Integrity Technology Group.
First reported: 14.10.2025 19:551 source, 1 articleShow sources
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attackers used the JavaSimpleRESTSOE ArcGIS extension to invoke a REST operation to run commands on the internal server via the public portal.
First reported: 14.10.2025 19:551 source, 1 articleShow sources
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attackers specifically targeted two workstations belonging to IT personnel to obtain credentials and further burrow into the network.
First reported: 14.10.2025 19:551 source, 1 articleShow sources
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
-
The attackers reset the password of the administrative account.
First reported: 14.10.2025 19:551 source, 1 articleShow sources
- Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year — thehackernews.com — 14.10.2025 19:55
Similar Happenings
Increased Scanning for PAN-OS GlobalProtect Vulnerability
SANS Internet Storm Center has observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). This flaw, disclosed last year, allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The scans involve attempts to upload and retrieve files, indicating potential pre-exploit staging activities. The vulnerability is a command injection flaw that can be exploited to gain unauthorized access and control over vulnerable firewalls. This development underscores the ongoing threat posed by unpatched systems and the importance of timely security updates. The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat. Nearly 50,000 Cisco ASA and FTD appliances are vulnerable to actively exploited flaws. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints. The Shadowserver Foundation discovered over 48,800 internet-exposed ASA and FTD instances still vulnerable to the flaws. The majority of vulnerable devices are located in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark. The Shadowserver Foundation's data is as of September 29, indicating a lack of response to the ongoing exploitation activity. Greynoise had warned on September 4 about suspicious scans targeting Cisco ASA devices, indicating upcoming undocumented flaws. CISA's emergency directive gave 24 hours to FCEB agencies to identify and upgrade vulnerable Cisco ASA and FTD instances. CISA advised that ASA devices reaching their end of support should be disconnected from federal networks by the end of September. The U.K. NCSC reported that the hackers deployed Line Viper shellcode loader malware and RayInitiator GRUB bootkit.
Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations
The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.
ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS Attacks
The ShadowV2 botnet targets misconfigured Docker containers on Amazon Web Services (AWS) to deploy a Go-based malware, turning infected systems into nodes for a distributed denial-of-service (DDoS) botnet. This botnet is available for rent to conduct DDoS attacks, employing advanced techniques such as HTTP/2 Rapid Reset and bypassing Cloudflare's Under Attack mode. The botnet was detected on June 24, 2025, and is believed to be part of a DDoS-for-Hire service. The botnet uses a Python-based C2 framework hosted on GitHub Codespaces and a Go-based remote access trojan (RAT) for command execution and communication. The malware first spawns a generic setup container from an Ubuntu image, installs necessary tools, and then builds and deploys a live container. This approach may help avoid leaving forensic artifacts on the victim machine. The malware communicates with a C2 server to receive commands and conduct attacks. The botnet's dynamic container deployment allows highly configurable attacks while concealing activity behind cloud-native architecture. The botnet targets 24,000 IP addresses with port 2375 open, though not all are exploitable. The malware sends a heartbeat signal to the C2 server every second and polls for new attack commands every five seconds. The botnet is actively used, with observed commands to launch attacks against at least one website.
Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment
Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.